What CISOs need to keep CEOs (and themselves) out of jail
Former Uber CISO Joe Sullivan, who was convicted for attempting to cover up a data breach Uber suffered in 2016, recently posited that in the very near future, CEOs might find themselves held directly responsible for cybersecurity breaches.
Considering the changes in the NIST Cybersecurity Framework 2.0 (CSF 2.0) emphasizing governance and communication with the board of directors, Sullivan is right to assume that liability will not stop at the CISO and will likely move upwards.
In his essay, Sullivan urges CEOs to give CISOs greater resources to do their jobs. But if he’s talking about funding to purchase more security controls, this might be a hard sell for CEOs. Cybersecurity budget growth has consistently outpaced general IT spending. While cybersecurity budget growth slowed in 2022 and 2023 due to economic concerns, recent surveys of CISOs have reported strong growth in cybersecurity spending in enterprises.
For their part, CISOs know they have more security controls than they can manage: Tool sprawl and tool paralysis are known failings – line items for new cybersecurity controls are not the problem.
Four key steps: Airtime, metrics, internships and process monitoring
If more cash for new or expanded controls is not what’s needed, what can CEOs give to CISOs to reduce risk and ultimately shore up the legal liability faced by the CEOs themselves?
More airtime with the board of directors
Most boards of directors still lack context and understanding of the scope of the challenges facing cybersecurity teams today.
Part of this is due to a simple lack of exposure. Even as more and more regulatory bodies – including the SEC, the FTC, and CISA – have mandated stringent disclosure and cybersecurity planning for publicly registered entities, only a small minority of public companies have Technology Committees on their BoDs, let alone regular cybersecurity conversations to explore threats and risks.
Part of this is due to the misplacement of the cybersecurity audit function under the general counsel or CFO office, which makes it a stepchild owned by a parent that does not speak its language or know its history. Regardless, dedicating 30 minutes in each BoD meeting to a discussion of cybersecurity challenges with the company CISO would help the CISO build the political capital necessary to elevate cyber to a board-level concern.
A shared set of metrics published in quarterly reports
Any CEO who doesn’t think cybersecurity is a material issue to their company’s financial health has not been paying attention.
Change Healthcare, a subsidiary of a publicly traded insurance giant, is facing what might be a billion-dollar incident recovery bill after a ransomware attack took its pharmacy verification and payment systems offline. Change Healthcare may also be facing billions in legal damages due to losses suffered by healthcare organizations and hospitals reliant on the service. In 2017, a breach due to an unpatched software component cost credit reporting agency Equifax over $1 billion, including legal fees, added customer service, and incident response.
CEOs would benefit from showing that they care about cybersecurity and adding metrics to company reports to demonstrate it is a significant concern. For CISOs, agreeing to a set of metrics with the CEO would provide a visible North Star and a forcing function for aligning resources and headcount to ensure metrics continue to trend in the right direction.
A cybersecurity internship program to bring in junior engineers
Even though cybersecurity teams deploy a lot of tech, people move the needle more than anything.
The shortage of cybersecurity professionals is worsening. According to ISC2, the world is short just under 4 million of the cybersecurity professionals it needs, even though the cyber workforce grew by nearly 10% in 2023.
In a highly competitive job market, hanging out a new job posting is not going to cut it. A growing array of technology companies, like IBM, are creating internship pipelines to find and train junior engineers from diverse backgrounds, such as junior colleges or less-known universities. While this approach requires more infrastructure and a viable curriculum, as well as some patience, it can yield a stronger pipeline of employees who can step right into a job with prior institutional knowledge of the systems they are guarding.
Continuous security process mapping and monitoring
While the human element is critical in shoring up cybersecurity, humans are also often the weakest link in the cybersecurity chain.
The overwhelming majority of major breaches and attacks involved human error. Most CISOs conduct red team exercises, use penetration testing or breach-and-attack simulation services or tools, and otherwise undertake measures to test incident response. Cyber forensic tools can help map out attack chains, and detailed root cause analysis can pinpoint specific failures in specific exercises. But CISOs lack continuous analysis of incident response and tend to focus only on the worst breaches, even though those breaches may have been possible only because of earlier "process debt": gaps in risk coverage that cyber teams left inadvertently.
Due to the complexity of cybersecurity interactions and processes and the unpredictable nature of incident response, mapping security processes can be challenging. That said, the cases brought against CISOs have all hinged on allegations of deception and fraud. Such allegations are harder to defend in the absence of a system that automatically captures security processes and human behaviors, which removes the risky gray area of "intent". Newer solutions can apply process mapping and monitoring to security workflows, ensuring both visibility and enforcement of best practices.
Conclusion: Collaboration with CISOs is essential
CEOs that are serious about cybersecurity must prioritize collaboration with their CISOs and put them in the rotation for regular meetings. A healthy budget increase for tools may be necessary as AI injects many new risks, but it is neither sufficient nor the most important step.
CISOs need better people and better processes to deliver on promises of keeping the enterprise safe. Regulatory agencies are interested not only in competence but also in intent and process, as evidence of the best efforts generally mandated under the law. Metrics are one North Star, but visualizing and improving the processes carried out by human engineers is equally relevant. As more CISOs face charges, CEOs should worry that they might be next, and should start thinking about how to better cover their cyber assets and cyber teams.